On the Radar: Cloudmark Trident addresses spear phishing

Transcription

1 On the Radar: Cloudmark Trident addresses spear phishing Context and behavioral analysis pick up attacks that may have no malicious payload Publication Date: 17 Feb 2016 Product code: IT Rik Turner

2 Summary Catalyst Cloudmark develops messaging security technology, covering , SMS, and MMS, as well as the Domain Name System (DNS). It is now adding a product to protect enterprises from spear phishing exploits. Key messages Cloudmark s flagship product, Cloudmark Authority, is used by carriers and other service providers to offer anti-spam services to their customers. It claims to protect a billion inboxes from spam with its product. Cloudmark is now launching a product to combat spear phishing. It uses a different set of algorithms from anti-spam and draws information from the company s Global Threat Network to categorize s as suspect. Ovum view Spear phishing is the latest and most sophisticated version of phishing, and as such requires a robust system of defense. There is a relative paucity of products that specifically target this type of attack, so Cloudmark s latest offering is a valuable addition to a still emerging market, and will attract considerable attention from both existing and new customers. Recommendations for enterprises Why put Cloudmark Trident on your radar? Spear phishing is growing as a means of attacking enterprises, because thanks to social media, hackers find it easier to discover relevant information to craft messages that target specific individuals. Cloudmark Trident uses anomalous message detection, as well as behavioral and contextual analysis backed by its Global Threat Network of information, to identify suspicious s before they hit an enterprise user s inbox, and should definitely be considered when selecting an anti-spear phishing platform. Highlights Security products such as secure gateways and network-based sandboxing fail to stop spear phishing, particularly if the offending contains either no payload or URL link at all, or else a highly sophisticated one that cannot readily be identified as malicious. Wire fraud attacks, for instance, commonly use text-only s with no Call to Action (no URL to click on), merely an instruction to the recipient to carry out a wire transfer. These s trigger no alerts from conventional messaging security systems. Another type of spear phishing exploit involves the impersonation of a person or a brand, using subtle changes in spelling such as comwall instead of Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 2

3 cornwall, which the human eye can frequently overlook. Again, these attacks are not picked up by gateways or sandboxes. With this in mind, and noting that the Target, Sony, Anthem, and JPMorgan breaches all started with a spear phishing , Cloudmark has developed Trident, a product specifically designed to protect enterprises against attacks. Trident is a technology platform that combines a filtering engine that uses algorithms specifically developed to detect spear phishing, rather than those used in anti-virus and anti-spam products, with heuristics as well as contextual and behavioral analysis to determine when an is sufficiently suspicious to trigger an alert to the customer s security analysts. Trident consists of a simple mail transfer protocol (SMTP) agent that deploys on a customer s premises, sitting between their secure gateway (SEG) and their server to provide an extra level of filtering. The agent communicates with Cloudmark s back-end systems in the cloud, where it can draw on threat information from the company s Global Threat Network for information on things like suspicious IP addresses and the reputations of the platforms sending s, all of which contributes to its behavioral analysis. It then presents its findings to the customer s security team via a cloud-based control panel, which the customer also uses for agent configuration and to set security policy. Customers can initially deploy Trident out of band in observation mode, where it sits alongside their existing messaging system and takes no action, so that they can see which of their employees are most often targeted by spear phishing and are therefore in greatest need of protection or additional training. They can then proceed to active mode, in which Trident is in-line between the SEG and the server and takes action on suspect s in accordance with the customer s security policy. It can tag the message header with an advisory that it looks like spear phishing, redirect it into quarantine, send it to the junk mailbox, or to someone in the customer s security team for further analysis. Background Cloudmark was founded to develop messaging security technology in 2001 by software engineers and entrepreneurs Vipul Ved Prakash, who is now at Apple, and Jordan Ritter, who had previously founded Napster. Initially targeting the enterprise market directly, the company subsequently refocused onto the service provider market with its Cloudmark Authority filtering engine, enabling major telcos and cable operators to offer their customers protection from spam. As a result, it currently claims to be protecting about a billion inboxes, with service provider customers including Cox, Comcast, NTT, Vodafone, and Orange. In 2010 Cloudmark acquired Bizanga, a developer of a message processing platform, with a view to offering carriers a service combining processing and security scanning. The company remains privately held and is currently headed by CEO and chairman, George Riedel, who previously held executive positions at Nortel and Juniper. Current position Cloudmark has a portfolio of messaging security technologies centering on , but also including SMS, MMS, and DNS. The service provider market remains its primary focus for marketing these Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 3

4 capabilities, but it also offers on-premise products for the enterprise market, including an anti-spam plug-in, Cloudmark Server Edition, for the Microsoft Exchange Server. In addition to the service provider route to market, Cloudmark also licenses the Authority filtering engine under OEM agreements to a number of IT security vendors, including Intel s McAfee security arm, Cisco, and ThreatTrack. The company refers to the multiple deployments of the Authority platform as the Cloudmark Global Threat Network, from which it collects, collates and analyzes data to provide threat information to all its products, including the newly launched Trident platform to combat spear phishing. Regarding its plans for marketing Trident, Cloudmark says it will initially go direct to enterprise customers, using a dedicated sales team for this purpose. Later this year it will expand the offering to channel partners such as managed security service providers (MSSP) and traditional security resellers. It already works with a number of these companies, so it should not face the challenge of building a channel before it can get the product to market. Data sheet Key facts Table 1: Data sheet: Cloudmark Product name Cloudmark Trident Product classification Messaging security Version number 1.0 Release date January 2016 Industries covered All enterprise customer segments that are experiencing persistent spear phishing problems. Geographies covered Global Relevant company sizes Large enterprise (1,000+ employees) Licensing options Licensed per seat (per protected user) URL /s/products/cloudmark-trident Routes to market Direct sales as well as via established partners and managed security services providers Company headquarters San Francisco, CA, US Number of employees 150 Source: Ovum Appendix On the Radar On the Radar is a series of research notes about vendors bringing innovative ideas, products, or business models to their markets. Although On the Radar vendors may not be ready for prime time, they bear watching for their potential impact on markets and could be suitable for certain enterprise and public sector IT organizations. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 4

5 Further reading On the Radar: Niara offers a data-agnostic approach to security analytics, IT (November 2015) On the Radar: SentinelOne, IT (October 2015) On the Radar: RedSeal Cybersecurity Analytics Platform v8, IT (July 2015) Author Rik Turner, Senior Analyst, Infrastructure Solutions rik.turner@ovum.com Ovum Consulting We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum s consulting team may be able to help you. For more information about Ovum s consulting capabilities, please contact us directly at consulting@ovum.com. Copyright notice and disclaimer The contents of this product are protected by international copyright laws, database rights and other intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our affiliates or other third party licensors. All product and company names and logos contained within or appearing on this product are the trademarks, service marks or trading names of their respective owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced, distributed or transmitted in any form or by any means without the prior permission of Informa Telecoms and Media Limited. Whilst reasonable efforts have been made to ensure that the information and content of this product was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as no liability can be accepted in this regard readers assume full responsibility and risk accordingly for their use of such information and content. Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited. Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 5

6 CONTACT US INTERNATIONAL OFFICES Beijing Dubai Hong Kong Hyderabad Johannesburg London Melbourne New York San Francisco Sao Paulo Tokyo Ovum. All rights reserved. Unauthorized reproduction prohibited. Page 6